'\" t
.\"     Title: createuser
.\"    Author: The PostgreSQL Global Development Group
.\" Generator: DocBook XSL Stylesheets v1.75.2 <http://docbook.sf.net/>
.\"      Date: 2011-12-01
.\"    Manual: PostgreSQL 9.1.2 Documentation
.\"    Source: PostgreSQL 9.1.2
.\"  Language: English
.\"
.TH "CREATEUSER" "1" "2011-12-01" "PostgreSQL 9.1.2" "PostgreSQL 9.1.2 Documentation"
.\" -----------------------------------------------------------------
.\" * Define some portability stuff
.\" -----------------------------------------------------------------
.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.\" http://bugs.debian.org/507673
.\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html
.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.ie \n(.g .ds Aq \(aq
.el       .ds Aq '
.\" -----------------------------------------------------------------
.\" * set default formatting
.\" -----------------------------------------------------------------
.\" disable hyphenation
.nh
.\" disable justification (adjust text to left margin only)
.ad l
.\" -----------------------------------------------------------------
.\" * MAIN CONTENT STARTS HERE *
.\" -----------------------------------------------------------------
.SH "NAME"
createuser \- define a new PostgreSQL user account
.\" createuser
.SH "SYNOPSIS"
.HP \w'createuser\ 'u
createuser [\fIconnection\-option\fR...] [\fIoption\fR...] [\fIusername\fR]
.SH "DESCRIPTION"
.PP

createuser
creates a new
PostgreSQL
user (or more precisely, a role)\&. Only superusers and users with
CREATEROLE
privilege can create new users, so
createuser
must be invoked by someone who can connect as a superuser or a user with
CREATEROLE
privilege\&.
.PP
If you wish to create a new superuser, you must connect as a superuser, not merely with
CREATEROLE
privilege\&. Being a superuser implies the ability to bypass all access permission checks within the database, so superuserdom should not be granted lightly\&.
.PP

createuser
is a wrapper around the
SQL
command
CREATE ROLE (\fBCREATE_ROLE\fR(7))\&. There is no effective difference between creating users via this utility and via other methods for accessing the server\&.
.SH "OPTIONS"
.PP

createuser
accepts the following command\-line arguments:
.PP
\fIusername\fR
.RS 4
Specifies the name of the
PostgreSQL
user to be created\&. This name must be different from all existing roles in this
PostgreSQL
installation\&.
.RE
.PP
\fB\-c \fR\fB\fInumber\fR\fR, \fB\-\-connection\-limit=\fR\fB\fInumber\fR\fR
.RS 4
Set a maximum number of connections for the new user\&. The default is to set no limit\&.
.RE
.PP
\fB\-d\fR, \fB\-\-createdb\fR
.RS 4
The new user will be allowed to create databases\&.
.RE
.PP
\fB\-D\fR, \fB\-\-no\-createdb\fR
.RS 4
The new user will not be allowed to create databases\&.
.RE
.PP
\fB\-e\fR, \fB\-\-echo\fR
.RS 4
Echo the commands that
createuser
generates and sends to the server\&.
.RE
.PP
\fB\-E\fR, \fB\-\-encrypted\fR
.RS 4
Encrypts the user\*(Aqs password stored in the database\&. If not specified, the default password behavior is used\&.
.RE
.PP
\fB\-i\fR, \fB\-\-inherit\fR
.RS 4
The new role will automatically inherit privileges of roles it is a member of\&. This is the default\&.
.RE
.PP
\fB\-I\fR, \fB\-\-no\-inherit\fR
.RS 4
The new role will not automatically inherit privileges of roles it is a member of\&.
.RE
.PP
\fB\-l\fR, \fB\-\-login\fR
.RS 4
The new user will be allowed to log in (that is, the user name can be used as the initial session user identifier)\&. This is the default\&.
.RE
.PP
\fB\-L\fR, \fB\-\-no\-login\fR
.RS 4
The new user will not be allowed to log in\&. (A role without login privilege is still useful as a means of managing database permissions\&.)
.RE
.PP
\fB\-N\fR, \fB\-\-unencrypted\fR
.RS 4
Does not encrypt the user\*(Aqs password stored in the database\&. If not specified, the default password behavior is used\&.
.RE
.PP
\fB\-P\fR, \fB\-\-pwprompt\fR
.RS 4
If given,
createuser
will issue a prompt for the password of the new user\&. This is not necessary if you do not plan on using password authentication\&.
.RE
.PP
\fB\-r\fR, \fB\-\-createrole\fR
.RS 4
The new user will be allowed to create new roles (that is, this user will have
CREATEROLE
privilege)\&.
.RE
.PP
\fB\-R\fR, \fB\-\-no\-createrole\fR
.RS 4
The new user will not be allowed to create new roles\&.
.RE
.PP
\fB\-s\fR, \fB\-\-superuser\fR
.RS 4
The new user will be a superuser\&.
.RE
.PP
\fB\-S\fR, \fB\-\-no\-superuser\fR
.RS 4
The new user will not be a superuser\&.
.RE
.PP
\fB\-V\fR, \fB\-\-version\fR
.RS 4
Print the
createuser
version and exit\&.
.RE
.PP
\fB\-?\fR, \fB\-\-help\fR
.RS 4
Show help about
createuser
command line arguments, and exit\&.
.RE
.PP
You will be prompted for a name and other missing information if it is not specified on the command line\&.
.PP

createuser
also accepts the following command\-line arguments for connection parameters:
.PP
\fB\-h \fR\fB\fIhost\fR\fR, \fB\-\-host=\fR\fB\fIhost\fR\fR
.RS 4
Specifies the host name of the machine on which the server is running\&. If the value begins with a slash, it is used as the directory for the Unix domain socket\&.
.RE
.PP
\fB\-p \fR\fB\fIport\fR\fR, \fB\-\-port=\fR\fB\fIport\fR\fR
.RS 4
Specifies the TCP port or local Unix domain socket file extension on which the server is listening for connections\&.
.RE
.PP
\fB\-U \fR\fB\fIusername\fR\fR, \fB\-\-username=\fR\fB\fIusername\fR\fR
.RS 4
User name to connect as (not the user name to create)\&.
.RE
.PP
\fB\-w\fR, \fB\-\-no\-password\fR
.RS 4
Never issue a password prompt\&. If the server requires password authentication and a password is not available by other means such as a
\&.pgpass
file, the connection attempt will fail\&. This option can be useful in batch jobs and scripts where no user is present to enter a password\&.
.RE
.PP
\fB\-W\fR, \fB\-\-password\fR
.RS 4
Force
createuser
to prompt for a password (for connecting to the server, not for the password of the new user)\&.
.sp
This option is never essential, since
createuser
will automatically prompt for a password if the server demands password authentication\&. However,
createuser
will waste a connection attempt finding out that the server wants a password\&. In some cases it is worth typing
\fB\-W\fR
to avoid the extra connection attempt\&.
.RE
.SH "ENVIRONMENT"
.PP
\fBPGHOST\fR, \fBPGPORT\fR, \fBPGUSER\fR
.RS 4
Default connection parameters
.RE
.PP
This utility, like most other
PostgreSQL
utilities, also uses the environment variables supported by
libpq
(see
Section 31.13, \(lqEnvironment Variables\(rq, in the documentation)\&.
.SH "DIAGNOSTICS"
.PP
In case of difficulty, see
CREATE ROLE (\fBCREATE_ROLE\fR(7))
and
\fBpsql\fR(1)
for discussions of potential problems and error messages\&. The database server must be running at the targeted host\&. Also, any default connection settings and environment variables used by the
libpq
front\-end library will apply\&.
.SH "EXAMPLES"
.PP
To create a user
joe
on the default database server:
.sp
.if n \{\
.RS 4
.\}
.nf
$ \fBcreateuser joe\fR
Shall the new role be a superuser? (y/n) \fBn\fR
Shall the new role be allowed to create databases? (y/n) \fBn\fR
Shall the new role be allowed to create more new roles? (y/n) \fBn\fR
.fi
.if n \{\
.RE
.\}
.PP
To create the same user
joe
using the server on host
eden, port 5000, avoiding the prompts and taking a look at the underlying command:
.sp
.if n \{\
.RS 4
.\}
.nf
$ \fBcreateuser \-h eden \-p 5000 \-S \-D \-R \-e joe\fR
CREATE ROLE joe NOSUPERUSER NOCREATEDB NOCREATEROLE INHERIT LOGIN;
.fi
.if n \{\
.RE
.\}
.PP
To create the user
joe
as a superuser, and assign a password immediately:
.sp
.if n \{\
.RS 4
.\}
.nf
$ \fBcreateuser \-P \-s \-e joe\fR
Enter password for new role: \fBxyzzy\fR
Enter it again: \fBxyzzy\fR
CREATE ROLE joe PASSWORD \*(Aqmd5b5f5ba1a423792b526f799ae4eb3d59e\*(Aq SUPERUSER CREATEDB CREATEROLE INHERIT LOGIN;
.fi
.if n \{\
.RE
.\}
.sp
In the above example, the new password isn\*(Aqt actually echoed when typed, but we show what was typed for clarity\&. As you see, the password is encrypted before it is sent to the client\&. If the option
\fB\-\-unencrypted\fR
is used, the password
\fIwill\fR
appear in the echoed command (and possibly also in the server log and elsewhere), so you don\*(Aqt want to use
\fB\-e\fR
in that case, if anyone else can see your screen\&.
.SH "SEE ALSO"
\fBdropuser\fR(1), CREATE ROLE (\fBCREATE_ROLE\fR(7))
